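{
  config,
  lib,
  ...
}:
# NixOS module: an opt-in switch that turns off the kernel's CPU-vulnerability
# mitigations via the kernel command line.  Off by default; nothing is added
# to boot.kernelParams unless security.mitigations.disable is set.
let
  # Explicit inherit instead of `with lib;` so the names used here are visible
  # and cannot be shadowed silently.
  inherit (lib) mkIf mkOption splitString types;

  cfg = config.security.mitigations;

  # Kernel command-line tokens appended when the option is enabled.  Together
  # they switch off the kernel's mitigations for Spectre v1/v2, PTI/Meltdown,
  # L1TF, speculative store bypass, MDS and TSX async abort, and `tsx=on`
  # additionally re-enables TSX itself.  Several tokens are redundant with
  # `mitigations=off`; a few (e.g. `ibrs`, `noibpb`, `no_stf_barrier`) look
  # distribution- or architecture-specific and may be ignored by the running
  # kernel -- confirm against the kernel's documented parameters before
  # relying on any single token.  Keep this single-spaced: it is split on " ".
  cmdline = ''ibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx=on tsx_async_abort=off mitigations=off'';
in {
  options = {
    security.mitigations.disable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to disable spectre and meltdown mitigations in the kernel. Do
        not use this in mission critical deployments, or on any machine you do
        not have physical access to.
      '';
    };
  };

  config = mkIf cfg.disable {
    boot.kernelParams = splitString " " cmdline;

    # Surface the weakened posture at evaluation time so it shows up in
    # rebuild output rather than only in /sys/devices/system/cpu/vulnerabilities.
    warnings = [
      "security.mitigations.disable is enabled: CPU vulnerability mitigations are turned off and TSX is re-enabled on this host."
    ];
  };
}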